Re: "proving" a user received an email (good gosh)

From: Christopher Browne <cbbrowne@acm.org>
Date: 24 Jun 2002 14:58:34 GMT

A long time ago, in a galaxy far, far away, rut@linuxmail.org (gaius.petronius) wrote:
> "proving" a user received an email (good gosh)
>
> boss calls me in
> manager X is a liar, says he never received this damn email.
>
> i check the logs
>
> i see an entry about the time sender claims it was sent:
>
> exhibit A
> maillog:
> Jun 22 23:47:31 swm sendmail[5517]: g5MFlUu05517:
> from=<sender@address>, size=5988, class=0, nrcpts=2,
> msgid=<4778858448D8547D4A54BCC6118467D@>, proto=ESMTP, daemon=MTA
>
> i also see in
> exhibit B
> maillog:
> Jun 22 23:47:31 swm sendmail[5518]: g5MFlUu05517: to=<BigLiar>,
> delay=00:00:00, xdelay=00:00:00, mailer=local, pri=65536, dsn=2.0.0,
> stat=Sent
> maillog:Jun 22 23:47:31 swm sendmail[5518]: g5MFlUu05517:
> to=<AngryBOSS>, delay=00:00:00, xdelay=00:00:00, mailer=local,
> pri=65536, dsn=2.0.0, stat=Sent
>
> i see that the user also checked his email without errors
>
> exhibit C
> maillog:Jun 23 23:31:48 swm ipop3d[12224]: Login user=BigLiar
> host=4.unknown.com [227.1.0.n] nmsgs=2/2
>
>
> My question is, although i know that this 22:23:47:31 is most probably
> the mail in question, how can i link it to the message id
> 78858448D8547D4A54BCC6118467D@ ??
>
> This is probably more a security or forensics question.
> is there a way to tune the logs to report the message id of the email
> when the user logs in and receives?
>
> in exhibit C there is no apparent way i can say that he is receiving
> this particular message; all i can say is that the server is
> functioning properly and that there is no reason to doubt that when he
> logged in he did not receive all his email messages.
>
> is there a method to log the received message id?

"Is there a way?" is a question to which the answer is almost
certainly "yes."

Unfortunately, there's nothing that's _already_ available going to be
"provable in a court of law."

Since there is no end-to-end audit trail available, it's always going
to be possible for the _Mendacious Manager_ to come up with some
excuse to the effect that the message was dropped on the floor in
between the MTA and them.

It looks as though you have provided a _reasonable_ set of
information; the problem is that it's not something "reasonable" that
is going on.

The _TRUE_ problem that you've got is a political one, and it's not a
problem on the mail server. :-(

I'd suggest looking into logging copies of all email that is sent,
perhaps particularly targeting everything sent to the Mendacious
Manager; that would likely be most precisely done by "hacking" the POP
server to log messages (including their contents!) transmitted to
[MM].

How to do that certainly depends on your mail server.

Whether that's wise or not is a question you might pose to _your_
manager, and that's far more a political question than a technical
one.

If you propose ways of logging more about what's going on, then you're
jumping yourself into the political battle, and you should just be
aware that that's what you're doing. If you stay with existing/easy
instrumentation, you'll probably not "prove things beyond a shadow of
a doubt," but keep in mind that unless you're actually going to court,
you don't forcibly _need_ that kind of certainty.

If they plan to escort MM out of the office with a banker's box, that
doesn't require a full legal case; it just requires satisfying those
higher up that MM needs to be escorted out, and that the email
situation doesn't involve any clear mistake in the matter.

Noting that the dates appear to be near midnight, this sounds like
_highly_ political activity.

By the way, I'd think that Jun 23 23:31:48, when BigLiar apparently
checked email, is _before_ Jun 22 23:47:31, which is when the message
in question was sent. Maybe I'm wrong, but I don't _think_ the two
messages pulled in Exhibit C include the one described in Exhibits A
and B.

Make sure you check time stamps and that you look for the _next_ time
BigLiar pulled mail from the POP server, lest you run into a "temporal
warp" problem and claim that he got the message before it was sent. I
think you've got a "temporal warp" problem there...

-- 
(reverse (concatenate 'string "moc.enworbbc@" "sirhc"))
http://cbbrowne.com/info/lisp.html
?OM ERROR
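
The log correlation discussed in this thread, run over the quoted exhibits, as an added example that is not part of the original post: it follows the message id to the sendmail queue id, then to the local delivery, and then to the first POP3 login after that delivery. The function names, the year 2002 (syslog omits it) and the 23:10:02 login line are assumptions; because ipop3d logs no message ids, the result is the earliest login that could have carried the message, not evidence that it was retrieved.

```python
import re
from datetime import datetime

# Exhibits A-C from the post, wrapped lines joined. The 23:10:02 login is a
# constructed line added to exercise the ordering check.
MAILLOG = """\
Jun 22 23:10:02 swm ipop3d[11801]: Login user=BigLiar host=4.unknown.com [227.1.0.n] nmsgs=1/1
Jun 22 23:47:31 swm sendmail[5517]: g5MFlUu05517: from=<sender@address>, size=5988, class=0, nrcpts=2, msgid=<4778858448D8547D4A54BCC6118467D@>, proto=ESMTP, daemon=MTA
Jun 22 23:47:31 swm sendmail[5518]: g5MFlUu05517: to=<BigLiar>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=65536, dsn=2.0.0, stat=Sent
Jun 22 23:47:31 swm sendmail[5518]: g5MFlUu05517: to=<AngryBOSS>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=65536, dsn=2.0.0, stat=Sent
Jun 23 23:31:48 swm ipop3d[12224]: Login user=BigLiar host=4.unknown.com [227.1.0.n] nmsgs=2/2
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)\[\d+\]: (.*)$")

def parse_ts(stamp, year=2002):
    # syslog omits the year; 2002 is assumed from the date of the post
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(log, msgid, user):
    """Link msgid -> queue id -> local delivery -> first later POP3 login."""
    qid_by_msgid, deliveries, logins = {}, [], []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, prog, rest = parse_ts(m.group(1)), m.group(2), m.group(3)
        if prog == "sendmail" and ": " in rest:
            qid, fields = rest.split(": ", 1)
            kv = dict(f.split("=", 1) for f in fields.split(", ") if "=" in f)
            if "msgid" in kv:
                qid_by_msgid[kv["msgid"]] = qid
            if kv.get("stat", "").startswith("Sent"):
                deliveries.append((qid, kv.get("to", "").strip("<>"), ts))
        elif prog == "ipop3d":
            lm = re.match(r"Login user=(\S+)", rest)
            if lm and lm.group(1) == user:
                logins.append(ts)
    qid = qid_by_msgid.get(msgid)
    delivered = next((t for q, r, t in deliveries if q == qid and r == user), None)
    if delivered is None:
        return None  # no logged delivery of this message to this user
    # Only a login strictly after delivery can have carried the message.
    later = sorted(t for t in logins if t > delivered)
    return {"queue_id": qid, "delivered": delivered,
            "logins_before": sum(t <= delivered for t in logins),
            "first_login_after": later[0] if later else None}

if __name__ == "__main__":
    print(correlate(MAILLOG, "<4778858448D8547D4A54BCC6118467D@>", "BigLiar"))
```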


